05-18-2018, 6:14 PM
Hooligan
Join Date: May 2002
Location: Clark County, Nevada
Posts: 1,126

Dear Cameron has been a RadioReference member for the past 5 years -- SHOCKER!!

Here's a rant I emailed some friends after I saw the FCC Consent Decree (which seems to be the only official information about this situation):


[MPSCS is a statewide 800MHz/700MHz P25 trunked radio system used by most state/county/local public safety plus some federal users. Having a radio programmed for this sort of trunked system means that by doing something seemingly innocuous like just turning the radio on, the radio will transmit to the network & try to log-onto it (like a cellphone does), unlike a conventional two-way radio where turning it on simply powers-up the radio but it doesn't transmit unless the operator takes deliberate action to do so. Some aspects of the MPSCS are about 25 years old but over the past couple years they've been modernizing the system. Yet we can expect the state to use this incident to their advantage as they ask for funds to get more encryption, switch to P25/Phase II, express a desire to migrate to LTE, etc. but the REALITY-CHECK is any competent radio system manager/security analyst could & should have warned about the cloned-radio intrusion & system key vulnerabilities about 20 years ago.]

Note: I'm not trying to defend the kid -- he transmitted on radio spectrum he didn't have legit access to, and 'intruded' into a computer system (accessing the MPSCS site/network controller via simply turning-on/off his radio programmed for the MPSCS), both of which are federal offenses.


So I'm wondering if he was actually talking on MPSCS, or if the average 4.8 second transmission consisted of him turning on the radio, it logging-on to the network, affiliating with a certain TG via certain site -- still naughty/illegal, but much different than him trying to run license-plates, etc. If he intruded on the system for a couple years before finally being busted & they traced 989 "transmissions" to his radio, that # plus the average transmission length seems consistent to me with him mostly turning on/off the radio & maybe switching between a couple talk-groups -- 989 times, his radio communicated with the zone/system controller. There's no talk of whether he actually had the 'secret' SYSTEM KEY in his radio, so the 989 transmissions over 2 years could actually have been his radio trying to affiliate with the system (providing the cloned radio-ID), but the controller responding back & denying the radio access ('bonking' him) because the radio didn't have the System Key. On the other hand, there's plenty of open-source discussions on radio or radio-hacker online forums about how to obtain or even make good guesses as-to the system key for a trunked radio system.

I don't find any media articles about this case -- I expect the State of Michigan did NOT want this publicized, though they're not the first public safety agency to have their "sophisticated" statewide trunked radio system intruded upon this way. I guarantee you that the Michigan Intelligence Operations Center (state fusion center) sent out a LE-Sensitive BOL to all Michigan LEOs warning them to be on the lookout for anyone with a [types of radios that could be programmed for MPSCS] & ask questions, if the person isn't affiliated with a LEA or other public safety entity (Michcon, for example) that has access to MPSCS.

But possession of a Motorola radio itself is not a crime & there are plenty of legit, legal uses -- business, amateur radio, or whatever so possession of one, especially if it's turned OFF & not showing a channel name like LANSING P911 or blaring audio of what is clearly a LE channel doesn't in itself grant an officer any reasonable suspicion to believe a criminal act has/is/or soon will take place.

I think in this situation, the 19 year old was nervous & didn't have the maturity to just turn off the radio, tell the officer he's a ham & uses the radio for amateur radio, and politely refuse to answer any other questions not pertaining to the reason for contact (a traffic violation). The officer (probably) asked to see the radio, the young kid didn't know his rights & wanted to appear cooperative, so he somewhat unwittingly gave consent for a search, that led to seizure & a criminal investigation. All perfectly legal, but also perfectly preventable had the dumb kid set the radio up with a password, had it turned off & not in plain sight inside the vehicle, *and* politely rejected the officer 'going fishing' on a traffic stop.

Social-media photos show that he had a receive-only 'police-scanner' that was completely capable of monitoring the MPSCS, but having a Motorola professional radio looks cooler, will receive the system better, can impress/intimidate people, and is simply just something that a 'radio-geek' who can afford the Motorola radio (easy to buy older, used ones, fairly cheap) may want to play-around with. I don't know what model radio he had, but assuming it was 700/800MHz only & not one of the multi-band handhelds that are still pretty expensive, even used, there is no amateur-radio spectrum in 700/800MHz.

Of course, he's on RadioReference...
N8CAM Shack and Equipment Photos

I am the King of All Monitoring.